Topic: Help modeling a User/Group permission structure

Hello,

As a learning exercise, I've worked through some Rails tutorials and am now trying to create something a little more complicated. I'm trying to extend a blog application into more of a CMS with a basic user/group permission system.

Basically, I have Users, Articles and Groups. Users can have a role of either: Author or Viewer. Some articles are private and some are public. For private articles, I'd like to have a system where an article can be permissioned to either a group or to an individual user or even both.

When a website visitor tries to access an article AND the article is 'Private', I'd like for the system to prompt the visitor to log in. Once logged in, I want the system to then check if this user has permission to view the article. Permission being defined as: if this user is either in a group that has permission to the article OR the user himself has explicit permission to that article.

Here's what I currently have - does this make sense? I'm mostly struggling with the Article_Private_Access model (but I'm open to any other suggestions) and whether this is a good approach.


Users:
  name
  email
  password
  role     (role is either 'Author' or 'Viewer')


Group_Users
  group_id
  user_id


Groups:
  name


Articles
  user_id
  access_type  ('Private' or 'Public')
  title
  body


Article_Private_Access   (** this serves to link Articles with permissioned Users or Groups)
  article_id
  access_type  ('Group' or 'User')
  access_id    (this id would point to either a User record, or a Group record)


*****


User model:
  has_and_belongs_to_many :groups
  has_many :articles


Group model:
  has_and_belongs_to_many :users


Article model:
  belongs_to :user


I'm just not sure whether to use the Article_Private_Access table and/or how to model it. I was thinking this table would contain a list of Users and/or Groups that had access to a particular Article. But I'm a bit lost now....


Any help would be greatly appreciated.


Thanks.
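
The permission check described in the post above, as an added example that is not part of the original post: a plain-Ruby sketch (no ActiveRecord) that matches each Article_Private_Access row on both access_type and access_id and denies anything not explicitly granted. The struct layouts follow the post's tables; the `authorize` function, its return symbols and the sample records are assumptions made for illustration.

```ruby
# Added example: plain-Ruby model of the access check from the post.
# Field names follow the post's tables; authorize and its return
# symbols (:allow, :login_required, :deny) are hypothetical.
User    = Struct.new(:id, :name, :role, :group_ids)
Article = Struct.new(:id, :user_id, :access_type, :title)
Grant   = Struct.new(:article_id, :access_type, :access_id) # one Article_Private_Access row

# Decide what to do with a request for `article` by `user` (nil = not logged in).
def authorize(article, user, grants)
  return :allow if article.access_type == 'Public'
  return :deny unless article.access_type == 'Private' # unknown value: fail closed
  return :login_required if user.nil?

  permitted = grants.any? do |g|
    next false unless g.article_id == article.id
    # access_id is only meaningful together with access_type: a Group id
    # and a User id can be the same number and must never be compared.
    case g.access_type
    when 'User'  then g.access_id == user.id
    when 'Group' then user.group_ids.include?(g.access_id)
    else false # unrecognized grant type never grants access
    end
  end
  permitted ? :allow : :deny
end

# Constructed sample data (not from the post).
ALICE = User.new(1, 'alice', 'Viewer', [10])  # member of group 10
BOB   = User.new(2, 'bob',   'Viewer', [])    # explicit per-user grant below
CAROL = User.new(10, 'carol', 'Viewer', [])   # user id collides with group id 10
PUBLIC_POST  = Article.new(100, 3, 'Public',  'Hello')
PRIVATE_POST = Article.new(101, 3, 'Private', 'Internal notes')
GRANTS = [
  Grant.new(101, 'Group', 10),
  Grant.new(101, 'User', 2)
].freeze

if __FILE__ == $PROGRAM_NAME
  [nil, ALICE, BOB, CAROL].each do |u|
    puts "#{u ? u.name : 'anonymous'}: #{authorize(PRIVATE_POST, u, GRANTS)}"
  end
end
```

Carol is the case worth noting: her user id equals the granted group id, and she is denied because the check never compares a user id against a 'Group' row.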